
SkyDog Con CTF – The Legend Begins

Over but not forgotten.

Goal of Sky Dog Con CTF

The purpose of this CTF is to find all six flags hidden throughout the server by hacking network and system services. This can be achieved without hacking the VM file itself.

Enumeration

nmap -p- -T4 -sV -v 192.168.2.18

Looks like there is a web server running and the SSH port is open.
Let's start with the web server first.
The page at http://192.168.2.18 shows only a picture of SkyDog. Could that be the first flag ("A Picture is Worth a Thousand Words")? I saved the picture and checked its EXIF data.
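Checking a picture for hidden text is usually a one-liner with exiftool, but it helps to know where that text actually lives. The following is an added example, not code from this write-up: it walks the JPEG marker segments and pulls out COM (comment) segments and the ASCII tags of the EXIF IFD0, which is where CTF authors typically stash a flag. The JPEG it parses is built in memory (the description string and comment are constructed, not taken from the CTF image), and only IFD0 ASCII tags are handled, not the Exif sub-IFD or MakerNotes.

```python
import re
import struct

# EXIF IFD0 ASCII tags that CTF authors like to put text into.
TIFF_ASCII_TAGS = {
    0x010E: "ImageDescription",
    0x010F: "Make",
    0x0110: "Model",
    0x013B: "Artist",
    0x8298: "Copyright",
}

def jpeg_segments(data):
    """Yield (marker, payload) for each marker segment up to SOS/EOI."""
    if data[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG (missing SOI)")
    pos = 2
    while pos + 2 <= len(data):
        if data[pos] != 0xFF:
            raise ValueError("marker expected at offset %d" % pos)
        marker = data[pos + 1]
        if marker == 0xFF:                         # fill byte, skip it
            pos += 1
            continue
        if marker in (0xD9, 0xDA):                 # EOI / SOS: entropy-coded data follows, stop
            return
        if marker == 0x01 or 0xD0 <= marker <= 0xD7:   # standalone markers carry no length
            pos += 2
            continue
        if pos + 4 > len(data):
            raise ValueError("truncated segment header")
        length = struct.unpack(">H", data[pos + 2:pos + 4])[0]   # includes the 2 length bytes
        yield marker, data[pos + 4:pos + 2 + length]
        pos += 2 + length

def exif_ascii_tags(app1):
    """Return {tagname: text} for ASCII entries in IFD0 of an APP1 Exif segment."""
    if not app1.startswith(b"Exif\x00\x00"):
        return {}
    tiff = app1[6:]
    bo = {b"II": "<", b"MM": ">"}.get(tiff[:2])
    if bo is None or struct.unpack(bo + "H", tiff[2:4])[0] != 42:
        return {}
    ifd = struct.unpack(bo + "I", tiff[4:8])[0]
    if ifd + 2 > len(tiff):
        return {}
    count = struct.unpack(bo + "H", tiff[ifd:ifd + 2])[0]
    tags = {}
    for i in range(count):
        entry = tiff[ifd + 2 + 12 * i: ifd + 14 + 12 * i]
        if len(entry) < 12:
            break
        tag, typ, n = struct.unpack(bo + "HHI", entry[:8])
        if typ != 2:                               # type 2 = ASCII
            continue
        if n <= 4:                                 # short values are stored inline
            raw = entry[8:8 + n]
        else:                                      # otherwise an offset from the TIFF header
            off = struct.unpack(bo + "I", entry[8:12])[0]
            raw = tiff[off:off + n]
            if len(raw) != n:                      # points outside the segment (hand-edited file)
                continue
        tags[TIFF_ASCII_TAGS.get(tag, "Tag%04X" % tag)] = raw.rstrip(b"\x00").decode("latin-1")
    return tags

def jpeg_text(data):
    """Collect COM segments and EXIF IFD0 ASCII tags, plus any flag{...} strings in them."""
    result = {"comments": [], "exif": {}, "flags": []}
    for marker, payload in jpeg_segments(data):
        if marker == 0xFE:
            result["comments"].append(payload.decode("latin-1"))
        elif marker == 0xE1:
            result["exif"].update(exif_ascii_tags(payload))
    blob = "\n".join(result["comments"] + list(result["exif"].values()))
    result["flags"] = re.findall(r"flag\{[^}]+\}", blob)
    return result

def build_sample_jpeg(description, comment):
    """Constructed JPEG with only SOI, APP1(Exif), COM and EOI: enough to test metadata parsing."""
    desc = description.encode() + b"\x00"
    # IFD0: one entry (ImageDescription, ASCII, count, offset 26), then next-IFD pointer 0
    ifd = struct.pack("<H", 1) + struct.pack("<HHII", 0x010E, 2, len(desc), 26) + struct.pack("<I", 0)
    tiff = b"II" + struct.pack("<HI", 42, 8) + ifd + desc   # header 8 + IFD 18 = 26 bytes before desc
    app1 = b"Exif\x00\x00" + tiff
    com = comment.encode()
    return (b"\xff\xd8"
            + b"\xff\xe1" + struct.pack(">H", len(app1) + 2) + app1
            + b"\xff\xfe" + struct.pack(">H", len(com) + 2) + com
            + b"\xff\xd9")

# Constructed sample; the flag-like string is made up for this example.
SAMPLE_JPEG = build_sample_jpeg("flag{constructed-example-not-a-real-flag}", "too many secrets")

if __name__ == "__main__":
    print(jpeg_text(SAMPLE_JPEG))
```

On a real file, `jpeg_text(open("skydog.jpg", "rb").read())` does the same walk; if it returns nothing, the text may sit in an Exif sub-IFD tag such as UserComment, which this example deliberately does not follow.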

Looks like I found the first flag. On to the next one: "When do Androids Learn to Walk?" A reference to robots.txt?

http://192.168.2.18/robots.txt >> flag{cd4f10fcba234f0e8b2f60a490c306e6}
Got flag number 2 and a whole list of directories to explore. Maybe hint number 3 gives direction? "Who Can You Trust?" After running nikto, the directory /Setec/ caught my attention.
It held a picture with the text 'too many secrets' from the movie 'Sneakers'.
Of course: Setec Astronomy is an anagram of "too many secrets". This VM was made by a movie buff, LOL.

Because there was another picture, I started by checking the EXIF data. Nothing. Then I thought: there are too many secrets, so let's try steghide. After several unsuccessful attempts I gave up on the picture and looked at the page itself. The source contained a Google tracking script. Not really useful, but there was something odd about it: it looked like the script was signed by NSA agent Abbott, AKA Darth Vader. Another movie reference, because James Earl Jones played NSA agent Bernard Abbott in Sneakers and also provided the voice of Darth Vader.

I had been so focused on the picture itself that I hadn't noticed it resided in the directory /Astronomy/. Inside this directory there was a zip file called Whistler.zip.
With the Sneakers wiki page still open, it was soon clear that the filename was another reference to the movie: Irwin "Whistler" Emery was a blind phone phreak.

Let's unpack the zip file. Password protected. Bummer. Let's try some words from the movie itself. No luck. Then it's time for some brute force: I loaded the file into fcrackzip with the rockyou wordlist and voila, got the password.

Inside the zip file was the third flag (flag{1871a3c1da602bf471d3d76cc60cdb9b}) and a file called ‘QuesttoFindCosmo’.

QuesttoFindCosmo

The clue inside the text file was 'Time to break out those binoculars and start doing some OSINT'.

Because this CTF was full of references to the movie 'Sneakers', I assumed this was another one. The filename contained the word Cosmo. After checking the wiki again it was clear that Cosmo was a character in Sneakers played by Ben Kingsley. That gave me a few words to use in a Google search.

“Cosmo” AND “Ben Kingsley” AND “binoculars”

The result was a site with the movie script (http://www.thealmightyguru.com/Reviews/Sneakers/Docs/Sneakers-Script.txt). Searching it for the word 'binoculars' gave 4 hits. One of them was in a passage containing the words "binoculars", "flag", "Cosmo" and "PlayTronics". That last word stood out in the text, so hopefully it's also important in finding the next flag.

PlayTronics! Yes! Let’s check it out.
And we have another flag (flag{c07908a705c22922e6d416e0e1107d99}).

Wireshark

Next to the flag there was also a pcap file named companytraffic.
Let's fire up Wireshark and analyze it.

Inside the pcap file there is an audio file. After carving it out and playing it, it turned out to be another reference to the movie 'Sneakers', this time the scene where Werner Brandes identifies himself with the phrase "Hi, my name is Werner Brandes. My voice is my passport. Verify me." But how does this help me find the next clue?
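Wireshark's "Follow TCP Stream" and "Export Objects" do the carving interactively; doing it by hand shows what those buttons actually rely on. The following is an added example, not code from this write-up: a minimal libpcap reader that parses Ethernet/IPv4/TCP headers, joins each direction of a connection in sequence-number order, and carves RIFF/WAVE files out of the reassembled bytes using the size field in the RIFF header. The capture it runs on is constructed in the block (an HTTP response carrying a tiny WAV, deliberately split into two out-of-order segments between 192.168.2.18 and an assumed client address); it does not handle pcapng, retransmissions, overlapping segments or sequence wraparound.

```python
import struct
from collections import defaultdict

def pcap_frames(data):
    """Yield link-layer frames from a classic libpcap file (pcapng is not handled)."""
    endian = {b"\xd4\xc3\xb2\xa1": "<", b"\xa1\xb2\xc3\xd4": ">"}.get(data[:4])
    if endian is None:
        raise ValueError("not a libpcap capture")
    if struct.unpack(endian + "I", data[20:24])[0] != 1:
        raise ValueError("only Ethernet (DLT_EN10MB) captures handled")
    pos = 24
    while pos + 16 <= len(data):
        _sec, _usec, incl_len, _orig_len = struct.unpack(endian + "IIII", data[pos:pos + 16])
        pos += 16
        yield data[pos:pos + incl_len]
        pos += incl_len

def tcp_segment(frame):
    """Return (flow, seq, payload) for an IPv4/TCP frame, else None. flow is one direction."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00":
        return None
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4
    total_len = struct.unpack("!H", ip[2:4])[0]
    if ip[9] != 6 or total_len > len(ip):          # not TCP, or truncated by the snaplen
        return None
    tcp = ip[ihl:total_len]
    sport, dport, seq = struct.unpack("!HHI", tcp[:8])
    doff = (tcp[12] >> 4) * 4
    return (ip[12:16], sport, ip[16:20], dport), seq, tcp[doff:]

def reassemble(frames):
    """Join each direction's payload in sequence-number order.
    Simplification: no wraparound, overlap or retransmission handling."""
    segs = defaultdict(list)
    for frame in frames:
        parsed = tcp_segment(frame)
        if parsed and parsed[2]:
            flow, seq, payload = parsed
            segs[flow].append((seq, payload))
    return {flow: b"".join(p for _, p in sorted(parts)) for flow, parts in segs.items()}

def carve_wav(stream):
    """Carve RIFF/WAVE files: 'RIFF' <LE size of everything after this field> 'WAVE'."""
    found, i = [], stream.find(b"RIFF")
    while i != -1:
        if stream[i + 8:i + 12] == b"WAVE":
            size = struct.unpack("<I", stream[i + 4:i + 8])[0]
            if i + 8 + size <= len(stream):        # ignore headers whose body is cut off
                found.append(stream[i:i + 8 + size])
        i = stream.find(b"RIFF", i + 4)
    return found

def carve_wavs_from_pcap(data):
    wavs = []
    for stream in reassemble(pcap_frames(data)).values():
        wavs.extend(carve_wav(stream))
    return wavs

# ---- constructed capture: an HTTP response carrying a small WAV, split in two segments ----
def build_wav(samples):
    fmt = struct.pack("<HHIIHH", 1, 1, 8000, 8000, 1, 8)   # PCM, mono, 8 kHz, 8-bit
    body = (b"WAVEfmt " + struct.pack("<I", len(fmt)) + fmt
            + b"data" + struct.pack("<I", len(samples)) + samples)
    return b"RIFF" + struct.pack("<I", len(body)) + body

def build_frame(src, sport, dst, dport, seq, payload):
    tcp = struct.pack("!HHIIBBHHH", sport, dport, seq, 0, 5 << 4, 0x18, 8192, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, 6, 0, src, dst) + tcp
    return b"\xaa" * 6 + b"\xbb" * 6 + b"\x08\x00" + ip   # checksums left zero: never verified here

def build_pcap(frames):
    out = [struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)]
    for n, f in enumerate(frames):
        out.append(struct.pack("<IIII", 1600000000 + n, 0, len(f), len(f)) + f)
    return b"".join(out)

SAMPLE_WAV = build_wav(bytes(range(256)) * 2)
_resp = b"HTTP/1.0 200 OK\r\nContent-Type: audio/x-wav\r\n\r\n" + SAMPLE_WAV
_srv, _cli = b"\xc0\xa8\x02\x12", b"\xc0\xa8\x02\x0a"   # 192.168.2.18 (the VM) and an assumed client
SAMPLE_PCAP = build_pcap([
    build_frame(_cli, 40000, _srv, 80, 1, b"GET /sample.wav HTTP/1.0\r\n\r\n"),  # path is made up
    build_frame(_srv, 80, _cli, 40000, 1 + 300, _resp[300:]),   # deliberately captured out of order
    build_frame(_srv, 80, _cli, 40000, 1, _resp[:300]),
])

if __name__ == "__main__":
    for n, wav in enumerate(carve_wavs_from_pcap(SAMPLE_PCAP)):
        with open("carved%d.wav" % n, "wb") as f:
            f.write(wav)
        print("carved %d bytes" % len(wav))
```

For the real companytraffic file, `carve_wavs_from_pcap(open("companytraffic.pcap", "rb").read())` is the call; if the audio was served as MP3 or over a protocol other than plain TCP, the carving signature and the reassembly step both need adjusting.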

I was stumped. I scoured the internet for a clue and kept re-reading the part of the script around the audio message, but nothing. To avoid tunnel vision I started looking at other things. I went back to the hashes inside the flags and noticed they looked like MD5 hashes. Why not check whether they are known passwords?

The hash in the last recovered flag turned out to be the MD5 of 'leroybrown'. Back to the movie script: the name Leroy Brown comes up in the form of a song, just before the part with the text from the carved audio file. Coincidence?

SSH

I hadn't tried SSH yet because I had no username or password. Some guesses from the clues so far:
leroy:brown
leroybrown:My voice is my passport. Verify me.
leroybrown:Hi, my name is Werner Brandes. My voice is my passport. Verify me.
And a whole lot of other combinations, but nothing.
Time for hydra. I made a wordlist from the movie script and used it with hydra.
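Two steps in this write-up want the same tooling: checking the flag hashes against candidate passwords, and turning the movie script into a wordlist for hydra. The following is an added example, not the author's code, that does both: it extracts words from a script text, adds adjacent-word joins (so "Leroy Brown" yields leroybrown), case variants and whole dialogue lines for phrase passwords, tests the resulting list against the MD5 hashes from the flags above, and writes it out for hydra. SAMPLE_SCRIPT is a constructed stand-in, not the real Sneakers script, so which of the page's hashes crack depends entirely on the text you feed in; the output filename and the hydra `-t 4` task count in the comment are assumptions.

```python
import hashlib
import re

# The 32-hex values inside the flags recovered so far in this write-up.
FLAG_HASHES = {
    "cd4f10fcba234f0e8b2f60a490c306e6",
    "1871a3c1da602bf471d3d76cc60cdb9b",
    "c07908a705c22922e6d416e0e1107d99",
}

# Constructed stand-in for a script excerpt; not the real Sneakers script text.
SAMPLE_SCRIPT = """\
The radio plays "Bad, Bad Leroy Brown" as the van rolls up to PlayTronics.
WERNER: Hi, my name is Werner Brandes. My voice is my passport. Verify me.
COSMO: Too many secrets, Marty.
"""

def md5_hex(text):
    return hashlib.md5(text.encode("utf-8")).hexdigest()

def build_wordlist(text):
    """Candidate passwords from a text: single words, adjacent-word joins
    (Leroy+Brown -> leroybrown), lowercase/capitalised variants, and each
    dialogue line without its speaker label, for phrase-style passwords."""
    words = re.findall(r"[A-Za-z']+", text)
    seen, out = set(), []

    def add(cand):
        for v in (cand, cand.lower(), cand.capitalize()):
            if v and v not in seen:
                seen.add(v)
                out.append(v)

    for i, w in enumerate(words):
        add(w)
        if i + 1 < len(words):
            add(w + words[i + 1])
    for line in text.splitlines():
        line = line.strip()
        if ":" in line:                          # drop "SPEAKER:" from dialogue lines
            line = line.split(":", 1)[1].strip()
        if line:
            add(line)
    return out

def crack_md5(hashes, wordlist):
    """Map each target hash to the first wordlist entry whose MD5 matches it."""
    targets = {h.lower() for h in hashes}
    found = {}
    for word in wordlist:
        h = md5_hex(word)
        if h in targets and h not in found:
            found[h] = word
    return found

def write_wordlist(wordlist, path):
    with open(path, "w", encoding="utf-8") as f:
        f.write("\n".join(wordlist) + "\n")

if __name__ == "__main__":
    wl = build_wordlist(SAMPLE_SCRIPT)
    print(len(wl), "candidates; cracked:", crack_md5(FLAG_HASHES, wl))
    write_wordlist(wl, "script-words.txt")
    # With a users file of candidate names taken from the script, the SSH step is then:
    #   hydra -L users.txt -P script-words.txt -t 4 ssh://192.168.2.18
```

Keep the task count low against a single SSH daemon: it rate-limits and drops connections under parallel load, and a flood of failures only slows the run down.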